DoorDash Reaches CCPA and CalOPPA Settlement With California Attorney General

California Attorney General (AG) Rob Bonta announced a settlement with delivery firm DoorDash over allegations that the company violated the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA).

• DoorDash’s settlement is the second ever reached under the CCPA since Sephora’s in August 2022. The case is also a rare instance of CalOPPA enforcement, alongside actions against Glow in 2020 and Delta Airlines in 2013 (Delta’s order was subsequently overturned).
• AG Bonta found that DoorDash’s disclosure of personal information to a “marketing co-operative” constituted a “sale” but that DoorDash had failed to give consumers notice or the chance to opt out.
• Under the proposed settlement, DoorDash will pay $375,000 and report annually to the AG’s office, along with other compliance requirements.

CalOPPA? Is that still a law?

Although CalOPPA passed way back in 2003 (with an update ten years later)—and has been largely superseded by the CCPA for many businesses—California’s earlier privacy law is still valid.

Compared to the CCPA, CalOPPA is relatively modest, requiring commercial website and app operators to publish a brief privacy policy explaining their data processing practices.

How did DoorDash violate CalOPPA?

In his complaint against DoorDash, AG Bonta alleges that the company’s privacy policy failed to state that DoorDash “disclosed personally identifiable information, like a consumer’s home address, to “marketing co-ops.”

Such a statement is one of six elements of a CalOPPA-compliant privacy policy. Other required information includes the website operator’s identity, the policy’s effective date, and whether the website responds to Do Not Track (DNT) signals.

How did DoorDash violate the CCPA?

AG Bonta alleges that DoorDash’s disclosure of personal information to its marketing co-op partners was a “sale” of personal information under the CCPA. But despite selling personal information, DoorDash apparently failed to tell consumers or offer them an opt-out.

The issue came to light in September 2020 when a DoorDash customer complained online that they had received marketing material from a third party as a result of DoorDash’s activities.

Once sold to the co-op, the customer’s name, address, and transaction history were allegedly “re-sold many times over” by a data broker.

The AG did offer DoorDash a chance to “cure” its alleged violation—to fix the problem and avoid enforcement action. However, DoorDash reportedly failed to cure the violation to AG Bonta’s satisfaction.

While the company stopped selling consumers’ personal information after receiving notice from the AG, the company apparently did not order any companies that had received the personal information to stop re-selling it.

In fact, Bonta found that DoorDash would have been unable to learn who had received the data, as its contract with the marketing co-op lacked any provision allowing DoorDash to conduct audits.

What happens to DoorDash now?

If the AG’s order is approved, DoorDash will have to:

• Pay a $375,000 civil penalty
• Enter into a three-year-long compliance program
• Provide an annual certification of compliance to the AG for the next three years

What does this case mean for privacy?

DoorDash’s penalty, assuming it’s approved by a judge, won’t break the bank. The mandatory compliance program will likely cost more, and DoorDash will be scrutinized by the California AG for at least three years.

But the case is a significant part of a bigger trend—US consumers are getting used to their new privacy rights.

The DoorDash customer whose data was sold by DoorDash—then resold “many times over” after falling into the hands of a data broker—was understandably upset by the incident. But just a few years ago, she would have had no recourse to do anything about it.

With new privacy laws in place across more than one-third of U.S. states (and counting), and increased scrutiny on data brokers and personalized advertising, expect consumers to start asking questions about how your business treats personal information.

Consider how you’ll respond to this wave of incoming “data subject requests”. Put systems in place to map your data, control your data flows, and easily find consumers’ personal information.

Key takeaways

• Under the CCPA, the definition of “selling” data is broad. If you’re sharing any data for contextual advertising it can be considered a sale.
• Your Privacy Choices is the standard link you should put on your homepage, which should allow customers to opt-out of their data being sold or shared. Alternatively you can put a “Do Not Sell My Information” link directly in the footer of your homepage. Take a look at examples on Salesforce, MyFitnessPal, and Care/of. For additional information, here are the Privacy Choices icon standards from the State of California Department of Justice.
• In addition to the “Do Not Sell or Share My Personal Information” link, companies must honor browser-based signals signaling a person’s request to not sell or share their data. Learn more about Global Privacy Control here.
• Don’t neglect CalOPPA. While less demanding than the CCPA, the law applies much more broadly—to any virtually commercial website operator that collects certain types of personal information from a California resident.
• “Curing” a violation means more than just stopping the violation. You must be able to put consumers in the position they would have been in had the violation not occurred. If you can’t do so, you can’t cure the violation.
• Be sure to comply with the CCPA when contracting with other parties in the sharing or selling of personal information. Ensure you can contact any other parties that might receive the personal information.

Helpful Resources

• Do Not Sell or Share Opt-Out Guide
• What is Global Privacy Control?
• Section 1798.135 of the CCPA as amended by CPRA on “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” requirements, or if applicable, a single link to both choices.
• CCPA opt-out icon standard
• Attorney General Bonta’s Feb 2024 announcement of settlement with DoorDash
• Attorney General Bonta’s Jan 2024 announcement on enforcement sweeps, including opt-out requirements
• DataGrail’s Trust Center